Case Study | Reading time: 6 minutes

A Success Story of How We Helped a Leading Healthcare Organization With a FIPS 140-2 Compliance Assessment

Company Overview

We worked with one of the top healthcare providers based in the USA, which offers a wide portfolio of health insurance and services to people both nationally and internationally. It manages a global database of thousands of clients and their confidential information. Its network spanned multiple locations and more than 20,000 employees, maintaining continuous communication channels with various hospitals and clinics. Its goal was to achieve FIPS 140-2 compliance, and it was seeking support in a thorough assessment across its wide infrastructure that would guide it through all the steps necessary to get there.

Challenges  

When working with data in the healthcare sector, protecting patients' PII (Personally Identifiable Information) and PHI (Protected Health Information) is a necessity. The organization's core objective was a comprehensive gap assessment of its existing environment, including a thorough review of its current cryptographic standards. It also wanted an attestation of compliance, based on a thorough evaluation of its applications, to demonstrate its commitment to safeguarding sensitive information.

Once we had gathered the relevant information, we performed an in-depth gap analysis, examining their cryptographic controls and standards and evaluating all the crucial aspects of the security requirements against the FIPS 140-2 standard. We documented the analysis in a report that pointed out the security gaps that did not meet FIPS 140-2 and identified the risks in the key management process. As the assessment progressed, we uncovered a few critical areas that needed attention:

  • Several key databases that stored sensitive data had no encryption applied at all. These included multiple Oracle and SQL Server databases holding sensitive information without any layer of encryption at rest.
  • A single encryption key was used to encrypt data across several applications and services, including backup databases. This created a serious risk: an attacker who broke into any one application could potentially recover that key and decrypt data in every other system that shared it.
  • There was no effective role-based access control (RBAC) or identity and access management (IAM) policy restricting who could reach keys and sensitive data. Such policies grant access based on a user's role; the company's setup instead granted more access than needed, so sensitive keys and information were easier to reach than they should have been.
  • The cryptographic policies and standards in place did not align with the FIPS 140-2 security requirements. The encryption algorithms they specified were outdated, the cipher suites were weak, and the key sizes fell below current minimums for resisting modern cryptographic attacks, leaving the cryptographic modules exposed to potential breaches.
  • Key management practices were poor: inadequate access control, a single key reused across several services and applications, and no monitoring of key usage. This increased the risk of a key being exposed through accidental sharing, misconfiguration, or lack of oversight.
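The following Python script is an added illustration, not a tool from the engagement or anything from the original page. It runs a small inventory of observed cryptographic settings against a baseline of the kind the assessment measured against (AES-256 at rest, RSA-2048 or stronger, TLS 1.2 and above, no legacy cipher suites) and emits one finding per gap, which is the form the findings above take. The inventory records, field names and weak-suite markers are constructed assumptions; the baseline encodes the recommendations this case study describes plus a simplified cipher-suite rule, not the complete FIPS 140-2 approved-algorithm list.

```python
"""Crypto-settings gap check against a FIPS 140-2 aligned baseline.

Added illustration. The baseline values mirror the recommendations in this
case study (AES-256 at rest, RSA-2048, TLS 1.2+); the inventory records
below are constructed examples, not the client's real systems.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_AES_BITS = 256          # data at rest: AES-256
MIN_RSA_BITS = 2048         # key wrapping / exchange: RSA-2048 or stronger
MIN_TLS_VERSION = (1, 2)    # data in transit: TLS 1.2 and above

# Assumption: cipher-suite name fragments treated as legacy or unsafe.
# Simplified rule for illustration, not the full FIPS approved-suite list.
WEAK_SUITE_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")


@dataclass
class CryptoInventory:
    """Observed crypto settings for one system (constructed sample data)."""
    system: str
    at_rest: Optional[str]          # e.g. "AES-128-CBC"; None means unencrypted
    asymmetric: str                 # e.g. "RSA-1024"
    tls_min: str                    # lowest TLS version the service accepts
    cipher_suites: List[str] = field(default_factory=list)


@dataclass
class Finding:
    system: str
    control: str
    observed: str
    required: str


def parse_bits(alg: str, family: str) -> Optional[int]:
    """Return the key size from names like 'AES-256-GCM' or 'RSA2048'."""
    m = re.match(rf"{family}-?(\d+)", alg, re.IGNORECASE)
    return int(m.group(1)) if m else None


def parse_tls(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from 'TLSv1.2' / 'TLS 1.0'; None if unparsable."""
    m = re.match(r"TLS\s?v?(\d)\.(\d)", version, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def suite_is_weak(suite: str) -> bool:
    """A suite passes only if it is AES-based and carries no legacy marker."""
    s = suite.upper()
    return "AES" not in s or any(marker in s for marker in WEAK_SUITE_MARKERS)


def assess(inv: CryptoInventory) -> List[Finding]:
    """One Finding per control that falls below the baseline."""
    findings: List[Finding] = []

    if inv.at_rest is None:
        findings.append(Finding(inv.system, "data-at-rest", "no encryption",
                                f"AES-{MIN_AES_BITS}"))
    else:
        bits = parse_bits(inv.at_rest, "AES")
        if bits is None or bits < MIN_AES_BITS:
            findings.append(Finding(inv.system, "data-at-rest", inv.at_rest,
                                    f"AES-{MIN_AES_BITS}"))

    bits = parse_bits(inv.asymmetric, "RSA")
    if bits is None or bits < MIN_RSA_BITS:
        findings.append(Finding(inv.system, "asymmetric-key-size", inv.asymmetric,
                                f"RSA-{MIN_RSA_BITS} or stronger"))

    version = parse_tls(inv.tls_min)
    if version is None or version < MIN_TLS_VERSION:
        findings.append(Finding(inv.system, "tls-version", inv.tls_min,
                                "TLS %d.%d or above" % MIN_TLS_VERSION))

    for suite in inv.cipher_suites:
        if suite_is_weak(suite):
            findings.append(Finding(inv.system, "cipher-suite", suite,
                                    "AES-based suite without legacy components"))
    return findings


# Constructed "before" and "after" records for one database service.
BEFORE = CryptoInventory("claims-db", None, "RSA-1024", "TLSv1.0",
                         ["RC4-SHA", "DES-CBC3-SHA"])
AFTER = CryptoInventory("claims-db", "AES-256-GCM", "RSA-3072", "TLSv1.2",
                        ["ECDHE-RSA-AES256-GCM-SHA384"])

if __name__ == "__main__":
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(assess(inv))} finding(s)")
        for f in assess(inv):
            print(f"  [{f.control}] {f.system}: observed {f.observed}, required {f.required}")
```

Run stand-alone, the script reports five findings for the constructed "before" record (unencrypted storage, RSA-1024, TLS 1.0 and two legacy suites) and none for the "after" record. In a real assessment the inventory would be populated from database, TLS and key-vault configuration exports rather than typed in by hand.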

The Solution

Our gap analysis provided a thorough breakdown of which FIPS 140-2 security-level requirements the organization already met and which areas needed improvement to reach the necessary level. It was based on a detailed study of each application's data-flow diagrams, tracing how data flowed from the ingress point to the egress point, so that we understood how data was handled within the application, both at rest and in transit.

Every finding was presented with specific suggestions for improvement, giving the organization a clear path to close the current security gaps. Acting on those recommendations, we supported the healthcare giant in aligning its practices with the FIPS 140-2 security requirements: updating algorithms, adopting best practices for key lifecycle management, and generating unique keys for each application. These are some of the ways we supported the organization:

  • We revised the cryptographic policies and standards that needed alignment with FIPS 140-2, describing the specifications for cryptographic modules and replacing the outdated algorithms. This ensured that applications developed in the future would adopt policies designed to meet industry best practices.
  • We recommended enabling FIPS 140-2 compliant encryption for both data at rest (AES-256 for data encryption, with RSA-2048 or stronger for key wrapping and exchange) and data in transit (TLS 1.2 and above), delivered through FIPS 140-2 validated cryptographic modules. This safeguards sensitive information at every touchpoint.
  • Next, we recommended generating unique encryption keys for each application and its associated resources. Giving each program and component a distinct key isolates them from one another: even if an attacker manages to get into one application, the exposure is limited to that application's data rather than the entire estate.
  • To cover the security requirements for roles, services, and authentication, we suggested a least-privilege access control approach for key management operations, enforced through RBAC and IAM both on-premises and in the cloud, so that only authorized people can reach specific data and important functions. This also meant logically separating required and optional roles.
  • We advised adopting strong authentication mechanisms such as multi-factor authentication (MFA) for access to cryptographic systems and key management interfaces, adding a further barrier against unauthorized access.
  • We recommended establishing a secure key lifecycle management process covering secure generation (using an approved random number generator), distribution, rotation (with a defined key validity period), and revocation, with encryption keys stored in secure cryptographic modules such as HSMs and key vaults and their usage monitored.
  • For the design assurance of each application in scope, we suggested a structured process that keeps the cryptographic standards and policy documents up to date and ensures that all module components meet the required standards. This is supported by detailed documentation of each cryptographic module's design, implementation, and operational environment.
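As an added illustration of the per-application key isolation and key lifecycle controls recommended above (not code from the engagement or from the original page), the Python below keeps a small in-memory key registry: it generates a distinct 256-bit key per application from a CSPRNG, versions keys so that rotation leaves the previous version usable for decryption only until it is retired, enforces a validity period and revocation, refuses cross-application key use, and records every decision in an audit trail. The application names, the 90-day validity window and the key-id format are assumptions; in a real deployment the key material would be generated and held inside an HSM or key vault rather than in process memory.

```python
"""Per-application key registry with rotation, expiry, revocation and audit.

Added illustration only. Keys live in process memory here; in production the
material would be generated and stored inside an HSM or key vault (assumption).
Application names and the 90-day validity window are constructed.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional


class KeyState(Enum):
    ACTIVE = "active"     # may encrypt and decrypt
    LEGACY = "legacy"     # decrypt only: superseded by rotation, not yet retired
    REVOKED = "revoked"   # no use permitted


@dataclass
class KeyRecord:
    app: str
    version: int
    material: bytes
    created: datetime
    expires: datetime
    state: KeyState = KeyState.ACTIVE

    @property
    def key_id(self) -> str:
        return f"{self.app}/v{self.version}"


@dataclass
class AuditEvent:
    when: datetime
    app: str
    key_id: str
    operation: str
    allowed: bool
    reason: str = ""


class KeyRegistry:
    def __init__(self, validity: timedelta = timedelta(days=90),
                 clock: Optional[Callable[[], datetime]] = None):
        self._keys: Dict[str, List[KeyRecord]] = {}
        self.audit: List[AuditEvent] = []
        self._validity = validity
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def generate(self, app: str) -> str:
        """Create a fresh 256-bit key owned by exactly one application.
        secrets.token_bytes stands in for the DRBG of a validated module."""
        now = self._clock()
        versions = self._keys.setdefault(app, [])
        rec = KeyRecord(app, len(versions) + 1, secrets.token_bytes(32),
                        now, now + self._validity)
        versions.append(rec)
        return rec.key_id

    def rotate(self, app: str) -> str:
        """Demote the active key to decrypt-only and issue a new version."""
        for rec in self._keys.get(app, []):
            if rec.state is KeyState.ACTIVE:
                rec.state = KeyState.LEGACY
        return self.generate(app)

    def revoke(self, app: str, version: int) -> None:
        for rec in self._keys.get(app, []):
            if rec.version == version:
                rec.state = KeyState.REVOKED
                return
        raise KeyError(f"{app}/v{version}")

    def use(self, app: str, key_id: str, operation: str) -> Optional[bytes]:
        """Return key material if policy allows; log the decision either way."""
        owner, _, _ = key_id.rpartition("/v")
        rec = next((r for r in self._keys.get(owner, []) if r.key_id == key_id), None)
        now = self._clock()

        if owner != app:
            reason = "cross-application key use refused"
        elif rec is None:
            reason = "unknown key"
        elif rec.state is KeyState.REVOKED:
            reason = "key revoked"
        elif now >= rec.expires:
            reason = "key validity period elapsed"
        elif rec.state is KeyState.LEGACY and operation != "decrypt":
            reason = "legacy key is decrypt-only"
        else:
            reason = ""

        allowed = reason == ""
        self.audit.append(AuditEvent(now, app, key_id, operation, allowed, reason))
        return rec.material if allowed else None

    def denied(self) -> List[AuditEvent]:
        """Audit entries worth alerting on: every refused key operation."""
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    reg = KeyRegistry()
    claims = reg.generate("claims-api")
    reg.generate("backup-service")
    reg.use("backup-service", claims, "decrypt")      # refused: not its key
    reg.rotate("claims-api")
    reg.use("claims-api", claims, "encrypt")          # refused: legacy key
    reg.use("claims-api", claims, "decrypt")          # allowed
    for e in reg.denied():
        print(f"{e.when.isoformat()} {e.app} {e.key_id} {e.operation}: {e.reason}")
```

The refusal reasons are deliberately distinct strings so that the audit trail can feed a monitoring rule: a backup service asking for another application's key, or any caller presenting a revoked or expired key, is exactly the activity the "no monitoring of key usage" finding above left invisible.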

The Impact

We successfully helped our client achieve FIPS 140-2 compliance. The assessment and support created a strong foundation for the organization's long-term goals, improving its overall security posture and protecting sensitive patient information more effectively. The security measures established through this work will support growth and innovation, and the organization can now focus on delivering high-quality care while staying secure and compliant.

  • The organization now uses standardized encryption and security measures built on FIPS 140-2 validated cryptographic modules (FIPS 140-2 validation applies to the modules themselves, not to an organization as a whole). This lowers the risk of expensive data breaches and the fines that come with them.
  • It has also opened new opportunities for strategic partnerships with technology suppliers and other healthcare providers, since the organization now complies with FIPS standards.
  • The initiative has embedded security best practices into the organization's daily operations, reducing the risk of future non-compliance through continued attention to detail and adherence to regulatory rules.

Conclusion

We built a thorough understanding of our client's current cryptographic capabilities and limitations in order to provide specific recommendations for the security gaps. We carefully reviewed the client's cryptographic policies, processes, and standards, and conducted workshops to understand each application's data-flow diagrams, components, and how data is stored at rest and transferred from one point to another. This in turn enabled us to support the organization in meeting all the necessary FIPS 140-2 compliance requirements.

Our assessment and strategy not only helped the organization meet the compliance requirements; it also equipped the organization to better manage emerging cyber threats and to establish proper security measures that will keep it secure and compliant for years to come.


About the Author


Parnashree Saha is a cybersecurity professional passionate about data protection, including PKI, data encryption, key management, IAM, etc. She is currently working as an advisory services manager at Encryption Consulting LLC. With a specialized focus on public key infrastructure, data encryption, and key management, she is vital in guiding organizations toward robust encryption solutions tailored to customers' unique needs and challenges. Parnashree leverages her expertise to provide clients with comprehensive advisory services to enhance their cybersecurity posture. From conducting thorough assessments to developing customized encryption strategies and implementing relevant data protection solutions, she is dedicated to assisting organizations in protecting their sensitive data from evolving threats.
